Sophos Blog: Security made simple (http://blogs.sophos.com)
Feed generated Tue, 03 Mar 2015 14:40:02 +0000
What healthcare orgs should know about the Anthem breach and HIPAA compliance
http://blogs.sophos.com/2015/02/26/what-healthcare-orgs-should-know-about-the-anthem-breach-and-hipaa-compliance/
by John Zorabedian, Thu, 26 Feb 2015 14:01:44 +0000

The cyber attack on Anthem BlueCross BlueShield is being called the largest data breach ever in the healthcare industry, and a warning of things to come as criminal gangs and even nation states take aim at valuable health data stored by insurers, hospitals, doctors’ offices and others.

Anthem said the breach affected nearly 80 million customers and employees, and the haul for cybercriminals included records that could be very valuable to the thieves – names, taxpayer IDs, birthdays, medical IDs, street addresses, email addresses, and employment data, including income.

Just as the massive breach of Sony last year sent shockwaves of concern throughout industry and government, the Anthem incident is raising awareness of just how vulnerable healthcare organizations are.

Even though medical records and credit card details weren’t stolen in the Anthem breach, experts say medical identity theft is on the rise because the type of data stored by healthcare organizations is of great value for crooks. Records like Social Security numbers can be used for many types of fraud and can’t be changed easily – while a credit card can be canceled, a patient whose Social Security number is stolen could be haunted by identity theft for a very long time.

“The kinds of data we’re seeing in these most recent breaches … could open up possibilities for very significant fraud, perhaps opening up a mortgage application in someone else’s name using the combination of data and information like the loss of a Social Security number,” James Lyne, global head of security research at Sophos, said in an interview with CNBC. “There could be very significant financial and social damage as a result of this kind of data loss.”

What happened in the Anthem breach is still being worked out by investigators, but the implications are clear – healthcare organizations are now in the cybercriminals’ sights, and the consequences are significant for their customers, and for those organizations’ regulatory compliance.

In the U.S., the sharing of healthcare information is regulated under the Healthcare Information Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Healthcare organizations suffering data breaches – according to the Ponemon Institute, about 90% of them have suffered data loss in the past two years – face significant fines and penalties for non-compliance, along with loss of reputation and the threat of civil lawsuits.

Under the HIPAA law, organizations need to disclose breaches to affected customers, major media outlets, and regulators in order to remain compliant. And they’re required to have a comprehensive data protection policy in place.

The FBI warned healthcare companies last year that the healthcare sector is far behind other industries in terms of cyber security and data protection. With the threat growing and compliance costs looming, healthcare organizations are wisely looking to invest in better security.

Data encryption is essential for keeping the data secure as it moves from one place to another.

A complete data protection solution should also ensure the protection of your users’ credentials. The weakest point of any system is always the user, so your security solution needs to enforce a strong password policy, and it should allow you to lock down access for an end user who suspects their identity has been compromised.

Users, and even administrators, don’t need access to all of an organization’s files, but many have it as part of their role, making them targets. An encryption solution can fix that with a separation of duties and roles. That way even if a user’s credentials are compromised, the hacker has no way to get access to files that were encrypted with keys they do not have access to.

Sophos Up2Date technology makes it easy to upgrade your Sophos UTM to the latest version. There are two ways to apply an already-downloaded Up2Date package to the system:

1. Log on to WebAdmin, navigate to Management >> Up2Date >> Overview and use Update to latest version now to install the Firmware Up2Date. Click on “Watch Up2Date Progress in new window” and an extra browser window will show the progress of the Up2Date installation. (The system administrator will receive a notification email once the Up2Date process has finished.)

2. Download the Up2Date package from our HTTP or FTP Server and install it under Management >> Up2Date >> Advanced.

If you want to provide feedback or want to discuss any of the UTM V9 features, post it on our User Bulletin Board. Please indicate the version you are using to help us (and everyone helping you).

PlugX now uses a new backdoor technique – hiding the payload in the Windows registry instead of writing it as a file on disk – according to a new technical paper from SophosLabs Principal Researcher Gabor Szappanos.

Although not unique to PlugX, this backdoor approach is still uncommon and limited to a few relatively sophisticated malware families.

This new shellcode also indicates some heavy development in the PlugX factory. Both this kind of multi-stage shellcode and the external cryptor indicate that although the group is not top class in exploit development, in conventional malware development they show serious skills, which makes them dangerous.

To learn more technical details about this latest APT campaign, and to see malware samples and the exploit documents used in the campaign, download the paper here: PlugX Goes to the Registry (and India).

Learn more about PlugX

Gabor has been following the developments of PlugX for the past two years.

In his previous research, he’s documented how “common” malware authors, such as those behind the Zbot/Zeus financial malware, had begun borrowing techniques from APT groups.

Zbot is a widespread malware family that is designed primarily to steal banking data, including usernames, passwords and the one-time access codes used in two-factor authentication. Zbot also frequently deploys ransomware like CryptoLocker and CryptoWall to make money for its masters.

Gabor later showed that the borrowing of ideas was swinging back the other way, as APT groups in the “Rotten Tomato” campaign showed signs of borrowing code from the Zbot malware authors.

Gabor’s research shows us that patching vulnerabilities as updates become available and using other technologies (e.g., intrusion prevention systems, or IPS) to block known attack vectors should be highly effective in protecting against the majority of targeted and opportunistic attacks.

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest industry-leading research, technical papers, and security advice at Naked Security and the Sophos Blog.

Sign up for our newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.

Filed under: Corporate, SophosLabs | Tagged: APT, Gabor Szappanos, India, malware, PlugX, Rotten Tomato, Zbot

Deadly IT Sin #1 – are you guilty of mobile negligence?
http://blogs.sophos.com/2015/02/24/deadly-it-sin-1-are-you-guilty-of-mobile-negligence/
by John Zorabedian, Tue, 24 Feb 2015 21:44:42 +0000

Smartphones and tablets are multiplying in your IT environment like crazy – whether it be the iPad Air used by your CEO, the latest Samsung Galaxy smartphone with its exposure to leaky Android apps, or the iPhone 6 your users are pestering you to configure for corporate use.

All those shiny new devices are a security and data loss risk you can’t afford to ignore.

You’ve heard of the seven deadly sins. Well, we think the 7 Deadly IT Sins are pretty bad too – and the sin of mobile negligence is number one on our list of “thou shalt nots” if you want to keep out the hackers who are increasingly targeting these handheld security threats.

What is mobile negligence? It’s thinking that the only threat you need to worry about is cybercriminals targeting Windows.

So many of the apps your users install on their devices – often without your knowledge or consent – can expose vital data due to operating system vulnerabilities, buggy app security, and unwanted permissions.

Even the iPhone 6, despite its reputation for security, is vulnerable to data thieves if your users aren’t properly configuring and encrypting it with a secure passcode or Touch ID.

And Windows Phones and BlackBerrys have security issues, too – the Windows Store is loaded with crummy, scam apps; and BlackBerry 10 devices can now run Android apps that are definitely vulnerable to attackers.

It’s not only malware and bad apps you should worry about. As James Lyne, global head of security research at Sophos, says in the video below, configuration and software changes could leave any device insecure.

Mobile devices can access corporate email accounts, corporate Wi-Fi networks, and other data your users share via applications – and that means your IT security is literally in the hands of your users.

Our Free Antivirus and Security for Android (Sophos Mobile Security) accurately detected and blocked every one of the 2,950 samples of malicious Android apps used in the test – and without a single false positive.

AV-Test recognized our app with a Protection Score of 6.0 (out of a possible score of 6.0), and we also garnered the highest rank of 6.0 in Usability.

Our 100% malware detection rate beat out the antivirus products of other vendors including those from Symantec, Kaspersky and McAfee.

In the Usability category, we passed with flying colors, thanks to app performance that didn’t slow down the device or reduce battery life. Tests also showed that our Android antivirus didn’t flag any legitimate apps (out of nearly 3,000 tested from Google Play and legitimate third-party app stores).

Version 4.0 of Sophos Mobile Security also got perfect scores from AV-Test in November 2014.

Sophos Mobile Security is a robust yet lightweight app that protects your Android devices without compromising performance or battery life. Using up-to-the-minute intelligence from SophosLabs, it automatically scans apps as you install them.

Other features include a privacy advisor, data and device encryption, and per-app password protection that you can set up for sensitive apps like your email.

At Sophos, we believe you can reduce the cost of IT security, see greater efficiencies, and save time – without compromising on the quality of protection.

Here are three big ways public sector organisations – from local governments and schools to police, fire and emergency services – can benefit from consolidation with Sophos.

1. Greater security for less.

Government cost-cutting measures show no signs of slowing. Public sector organisations have no choice but to modernise, consolidate or die. From charities to councils, a wave of consolidation is breaking out across the whole sector. In the UK, the Chartered Institute of Management Accountants argues that a greater degree of professional performance management is needed to steer the UK out of the red.

By consolidating with Sophos, public sector organisations see cost savings on average of 40% – and without compromising on quality. With Sophos you get security from a vendor that’s a true leader in the industry.

2. The power of one – a single interface, one support organisation, one renewal.

Consolidation with a single vendor improves efficiency in many ways. You can see all your users and systems in a single, familiar, simplified interface, reducing the need for extra training on multiple solutions. Plus, you’ll only need to deal with one support organisation, and you can renew licenses all at once.

We can help you to consolidate solutions in order to realise cost savings, in terms of license costs, support costs and the total cost of ownership.

3. Products that work Better Together.

With disparate point solutions, you get less effective security, both because it’s difficult to apply policies consistently and because the parts don’t work together as a system for optimal protection. Sophos products work better together – across your network, antivirus, email, web, encryption, and mobile security needs. And Sophos adheres to the principle that security can be made simple.

Learn more about consolidation with Sophos

We’re vastly experienced in working with local authorities, police, fire and rescue services across the public sector.

Our solutions can benefit organizations of all sizes, anywhere in the world. And if you’re in the UK, we have some great resources to show you the benefits of working with Sophos.

Gabor Szappanos of SophosLabs evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit — a sophisticated attack against a specific version of Microsoft Office.

In a just-published technical paper, Gabor details how none of the groups he analyzed were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack.

Many groups’ efforts to modify the initial exploit resulted in buggy code and/or minimal changes to the original exploit. Interestingly, the APT groups — often billed as the most sophisticated of attackers — showed the lowest proficiency in both modification and QA. It was the “mainstream” or “opportunistic” criminal groups that were most effective in revising the code to suit their purposes.

Gabor points out, however, that these groups are in many cases still highly effective in infecting their targets and getting what they want (typically data or money). To use a physical world simile, it’s like they’re able to use lockpicks effectively, but they’re unable to effectively modify the lockpicks or craft new styles.

One conclusion, Gabor says, is that “if security researchers and system administrators follow and act upon vulnerability announcements, they are likely to be prepared for these groups.”

In other words, patching vulnerabilities as updates become available and using other technologies (e.g., intrusion prevention systems, or IPS) to block known attack vectors should be highly effective in protecting against the majority of targeted and opportunistic attacks.

However, he also warns, “one should never underestimate the malware authors mentioned in this report. They develop sophisticated Trojan families, and they manage to deploy them successfully to high profile organizations. The fact that they are not the masters of exploitation doesn’t mean that they are any less dangerous.”

“But they are not omnipotent either,” Gabor adds. “Understanding their limitations helps us to prepare our defenses.”

Sophos Up2Date technology makes it easy to upgrade your Sophos UTM to the latest version. There are two ways to apply an already-downloaded Up2Date package to the system:

1. Log on to WebAdmin, navigate to Management >> Up2Date >> Overview and use Update to latest version now to install the Firmware Up2Date. Click on “Watch Up2Date Progress in new window” and an extra browser window will show the progress of the Up2Date installation. (The system administrator will receive a notification email once the Up2Date process has finished.)

2. Download the Up2Date package from our HTTP or FTP Server and install it under Management >> Up2Date >> Advanced.

If you want to provide feedback or want to discuss any of the UTM V9 features, post it on our User Bulletin Board. Please indicate the version you are using to help us (and everyone helping you).

You are free to use our new demo server environment without hassle, nags, or registration. Enjoy!

Eric Bégoc
Senior Product Manager

Filed under: Network | Tagged: up2date, UTM, utm9

Sophos products and the GHOST vulnerability affecting Linux
http://blogs.sophos.com/2015/01/29/sophos-products-and-the-ghost-vulnerability-affecting-linux/
by Editor, Thu, 29 Jan 2015 19:57:22 +0000

In the last couple of days, a widespread Linux vulnerability known as GHOST has been receiving a lot of attention in the security community. In theory, this vulnerability can allow an attacker to remotely execute code on a Linux computer. There is already proof of concept code that puts this theory into practice, and it is expected that real world attacks are just around the corner.

The Sophos product teams have been thoroughly investigating to determine which of our products are affected and what is necessary to address those that are.

Many Sophos products do not use Linux, or the glibc software at the heart of the vulnerability, and are therefore unaffected. This includes Sophos Endpoint Protection (Antivirus) for Windows, Mac and Unix; Secure Email Gateway; PureMessage for Microsoft Exchange; Mobile Control and likely others that we are still verifying.

However, Sophos UTM, Sophos UTM Manager (SUM), Secure Web Gateway, Sophos Secure OS for AWS, the Sophos Cloud management infrastructure, and the SAV for vShield virtual appliance are all built on the Linux platform and include the glibc software that is responsible for the vulnerability. The extent to which this vulnerability can be exploited varies from product to product. In all cases, the product teams are working quickly to update vulnerable software. For information about update availability, see this knowledgebase article.

Our products that customers install and run on their own installations of Linux (e.g., SAV for Linux, PureMessage for Unix) are not believed to introduce a vulnerability. However, the customer’s underlying Linux system may be vulnerable. Customers are encouraged to test and install vendor-supplied security patches for their Linux distributions to protect against GHOST and other vulnerabilities.
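As an added example, not code from the Sophos post, here is a POSIX shell check an administrator might run across Linux hosts to confirm that the glibc update the post recommends is actually in place. The minimum patched version is deliberately a parameter you take from your own distribution's GHOST advisory; the version strings in the comments and in the usage line are constructed samples, not values from the page. The version comparison is done component by component because glibc minor versions reached two digits, so a plain string compare would rank 2.9 above 2.18.

```shell
#!/bin/sh
# Added example (not Sophos code): report whether this host's glibc is at or above
# the minimum patched version given in your distribution's GHOST advisory.
# Usage: sh ghost_check.sh <min_fixed_version>
# <min_fixed_version> is a placeholder you fill from the vendor advisory.

# Pull a bare dotted version out of a banner such as "glibc 2.19" (getconf) or
# "ldd (GNU libc) 2.19" (ldd --version). Takes the last field and drops any
# distro suffix such as "-1.166" so the result is safe for numeric comparison.
# (Sample banners above are constructed for illustration.)
glibc_version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $NF }' | sed 's/[^0-9.].*//'
}

# True (exit 0) when dotted version $1 >= $2. Components are compared as numbers,
# so 2.9 sorts below 2.18; a plain string comparison would get that backwards.
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
    done
    return 0
}

# Verdict for one host: prints the comparison, returns 0 when patched, 1 when not,
# 2 when the banner could not be parsed.
ghost_status() {
    running=$(glibc_version_from_banner "$1")
    min=$2
    if [ -z "$running" ]; then
        echo "could not parse a glibc version from: $1" >&2
        return 2
    fi
    if version_ge "$running" "$min"; then
        echo "glibc $running >= $min: patched"
        return 0
    fi
    echo "glibc $running < $min: not patched. Install the vendor glibc update, then restart long-running services (or reboot) so they stop using the old library."
    return 1
}

# When invoked with the advisory's minimum version, check the local host.
# The exit code mirrors ghost_status so the script can drive fleet reporting.
if [ $# -ge 1 ]; then
    banner=$(getconf GNU_LIBC_VERSION 2>/dev/null || ldd --version 2>/dev/null | head -n 1)
    ghost_status "$banner" "$1"
fi
```

Because glibc is a shared library, a host can report the patched version on disk while processes started before the update still hold the old copy in memory, which is why the unpatched verdict tells the operator to restart services or reboot rather than stop at installing the package.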

SophosLabs is monitoring for methods and attacks targeting this vulnerability and will use the full capabilities of our product line to deliver protection for customers.